Transferring complaints to other bodies

Background

49.14 The Privacy Act contemplates the use of other bodies to resolve privacy complaints. For example, a privacy code approved under the Act may provide procedures for dealing with complaints under the code. The Privacy Act also vests the Commissioner with discretion to refer complaints to other bodies. Where the Commissioner forms the view that the complaint could have been made to the Human Rights and Equal Opportunity Commission (HREOC), the Commonwealth Ombudsman, the Postal Industry Ombudsman or the Public Service Commissioner, and would be dealt with more effectively or conveniently by one of those bodies, the Commissioner may decide not to investigate, or further investigate, the matter, and can transfer the complaint to the relevant body.[23]

49.15 Independent of the Privacy Act provisions, there are also several EDR schemes that have jurisdiction to deal with privacy complaints under their terms of reference, including the BFSO and the TIO.[24] Many credit providers already are members of industry-based EDR schemes, notably those involving the BFSO and the TIO. Veda Advantage, the main consumer credit reporting agency, also is a member of the BFSO. Issues regarding credit providers and EDR schemes are discussed in more detail in Chapter 59.

49.16 In its 2005 review of the private sector provisions of the Privacy Act (OPC Review), the OPC considered improving liaison with overlapping complaint handlers, to maximise efficiency and minimise confusion and costs for individuals and organisations.[25] In 2006, the OPC entered into a memorandum of understanding with the Commonwealth Ombudsman, to ‘facilitate the exchange of information, subject to the expectations of the individuals concerned, so that individuals with complaints can continue to have their concerns dealt with effectively and efficiently’.[26]

Submissions and consultations

Referrals to EDR Schemes

49.17 In DP 72, the ALRC identified support in submissions and consultations for empowering the Commissioner to transfer complaints to other bodies, and in particular, EDR schemes. The ALRC proposed that the Privacy Act should be amended to empower the Commissioner to decline to investigate, or investigate further, a complaint that already is being handled by an approved EDR scheme. The Commissioner also should be empowered both to decline to investigate a complaint and refer it on to an EDR scheme, where the Commissioner is satisfied that the complaint would be handled more suitably by that scheme.[27]

49.18 The proposal was supported by a number of stakeholders, including the OPC.[28] Privacy advocates supported the proposal on the basis that:

  • the EDR scheme is approved by the OPC;[29] and
  • there are appropriate review and appeal mechanisms in place.[30]

49.19 PIAC also submitted that the OPC should publish a list of approved EDR schemes on its website and that the criteria for approval should include a mechanism for reporting to the OPC on serious or systemic conduct.[31]

49.20 Two stakeholders did not support the proposal. In the view of these stakeholders, the OPC should be the only body to resolve privacy complaints as this would ensure consistency in approach.[32]

Referrals to state bodies

49.21 The ALRC also proposed that the Commissioner’s current delegation power in the Privacy Act be extended to empower the Commissioner to delegate to a state or territory authority all or any of the powers, including a power conferred by s 52, in relation to complaint handling conferred on the Commissioner by the Privacy Act.[33]

49.22 The OPC did not support this proposal, on the basis that it would introduce a level of complexity and uncertainty into the complaint-handling process. In the OPC’s view, if a function were delegated it would be necessary to ensure that the state or territory authority had complaint-handling processes and remedies that were consistent with those of the OPC. The OPC noted that the argument of proximity to the parties to a complaint was no longer as important as it had been in the past, given modern communication options such as email and voice and video conferencing.[34]

49.23 The OPC also argued that there would be resource implications arising from the proposal.

The Office is aware of other regulatory environments where such models have been adopted, resulting in significant complexity, uncertainty and funding difficulties. Such a model would require the Privacy Commissioner to be confident that the other complaint handling agency would interpret and apply the principles consistently, as well as follow the same processes as the Office. This could require significant training and development in the Office and would have resource implications. It would also be necessary to ensure that, where a determination was made, any decisions regarding remedies would be equivalent to the decision that would be made by the Privacy Commissioner.[35]

49.24 The Australian Privacy Foundation stated that it only would support the ALRC’s proposal if the proposal incorporated a guarantee that complaint mechanisms and remedies at the state and territory level were of at least the same standard as those provided in the Privacy Act.[36]

49.25 The Cyberspace Law and Policy Centre agreed that if the Commissioner transferred a complaint, this should be done only on the basis that the state or territory body is required to report to the Commissioner the details and outcome of the complaint resolution, and the Commissioner is required to publish those details to the same extent as any other complaint investigated by the Commissioner.[37]

49.26 A number of other stakeholders, however, expressed support for the ALRC’s proposal.[38] For example, Medicare Australia expressed the view that delegation could be helpful where the other authority can address issues other than the handling of personal information that might form part of the complaint, or where local knowledge could assist with resolution.[39]

49.27 In DP 72, the ALRC also proposed that the Commissioner should consider delegating the power to handle health information complaints under the Privacy Act to state and territory health complaint agencies.[40] Submissions and consultations dealing with this specific issue are discussed in Chapter 60. It is noted that the ALRC received support for that proposal from a diverse range of stakeholders.

ALRC’s view

Transferring complaints to EDR schemes

49.28 There is merit in recognising more formally the role of EDR schemes in handling privacy complaints. Schemes such as the BFSO and the TIO already resolve privacy complaints under their terms of reference and provide an efficient and binding avenue of complaint resolution for complainants and respondents.[41]

49.29 The Privacy Act should be amended to empower the Commissioner to decline to investigate, or investigate further, a complaint that already is being handled by a recognised EDR scheme. The Commissioner also should be empowered to decline to investigate a complaint and refer it on to an EDR scheme, where the Commissioner is satisfied that the complaint would be handled more suitably by the scheme. A greater role for EDR schemes in dealing with privacy complaints has the potential to increase efficiency in dispute resolution and to provide parties with a one stop shop for complaints that are partly about privacy and partly about service delivery.

49.30 In Chapter 59, the ALRC discusses an OPC concern that it be required to ‘approve’ an EDR scheme for the purposes of declining a complaint or referring its power. The use by the ALRC of the term ‘approved’ in the original proposal was not intended to indicate that the OPC would need to establish its ‘own separate benchmarks and an overall EDR scheme approval process’.[42] This would be a considerable burden on the OPC, and may duplicate the processes of other agencies that approve schemes as part of the legislation they administer. To make this distinction clearer, the recommendation should refer to OPC ‘recognition’, rather than approval, of EDR schemes.[43]

49.31 The ALRC notes that the Australian Securities and Investments Commission (ASIC) standard for approved EDR schemes requires that schemes report to ASIC on systemic issues and serious misconduct.[44] A similar reporting mechanism would be valuable in the privacy context to increase the OPC’s awareness of systemic issues.

49.32 Following implementation of these reforms, the OPC should publish a list of recognised EDR schemes on its website, to increase transparency and awareness of the referral process.

Referring complaints to state bodies

49.33 There could be similar benefits in using existing state complaint-handling bodies for the investigation and resolution of complaints under the Privacy Act. This would facilitate complaints being handled by local bodies, which can be more efficient and convenient for the complaint handler and the parties to the complaint.

49.34 The most effective and flexible mechanism to facilitate this movement of complaints is to extend the Commissioner’s delegation function in s 99 of the Privacy Act. As noted in DP 72, the Commissioner would not be required to delegate his or her functions unless he or she was of the view that it would be appropriate or effective to do so.

49.35 It is important to note that under such an arrangement, the state or territory authority would be empowered both to handle complaints under the Privacy Act and to exercise the powers of the Privacy Commissioner. The handling of complaints would, therefore, be consistent with the OPC’s complaint-handling process. The Commissioner also could include other stipulations in the arrangements surrounding any such delegation. The Commissioner should consider issues of capacity, expertise, and resources before entering into such an arrangement with a state or territory authority.

49.36 While the ALRC notes concerns about consistency in decision making, this concern could arise in any context where there are multiple decision makers. As long as the principles and powers under which the decision maker operates are the same, significant issues of inconsistency should not arise.

49.37 This recommendation is consistent with the view expressed in Chapter 60, that the Commissioner should consider delegating, where appropriate, the power to handle complaints under the Privacy Act in relation to health information to state and territory health complaint agencies.

Guidance

49.38 Given the ALRC’s recommendations to empower the Commissioner to transfer complaints to EDR schemes and delegate complaint-handling powers to state bodies, it would be beneficial to provide guidance on these different avenues of complaint handling to agencies, organisations and potential complainants. This could be part of a document setting out the OPC’s complaint-handling policies and procedures.[45]

Recommendation 49–2 The Privacy Act should be amended to empower the Privacy Commissioner to decline to investigate a complaint where:

(a) the complaint is being handled by an external dispute resolution scheme recognised by the Privacy Commissioner; or

(b) the Privacy Commissioner considers that the complaint would be more suitably handled by an external dispute resolution scheme recognised by the Privacy Commissioner, and should be referred to that scheme.

Recommendation 49–3 The Privacy Act should be amended to empower the Privacy Commissioner to delegate to a state or territory authority all or any of the powers in relation to complaint handling conferred on the Commissioner by the Act.

[23]Privacy Act 1988 (Cth)s 50.

[24] See Banking and Financial Services Ombudsman, Terms of Reference, 1 December 2004, [3.1]; Telecommunications Industry Ombudsman Constitution, 20 May 2006, [4.1].

[25] Office of the Privacy Commissioner, Getting in on the Act: The Review of the Private Sector Provisions of the Privacy Act 1988 (2005), 159–160.

[26] Office of the Privacy Commissioner, ‘Ombudsman and Privacy Commissioner to Streamline Joint Complaint Handling Processes’ (Press Release, 30 November 2006).

[27] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–2.

[28] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Australian Government Department of Foreign Affairs and Trade, Submission PR 563, 24 January 2008; Australian Government Department of Agriculture‚ Fisheries and Forestry, Submission PR 556, 7 January 2008; Australian Government Centrelink, Submission PR 555, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Australian Federal Police, Submission PR 545, 24 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Veda Advantage, Submission PR 498, 20 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[29] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[30] Ibid; Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[31] Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[32] Confidential, Submission PR 536, 21 December 2007; Confidential, Submission PR 519, 21 December 2007.

[33] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 45–3.

[34] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007. Others that did not support the proposal included: Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Confidential, Submission PR 519, 21 December 2007.

[35] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[36] Australian Privacy Foundation, Submission PR 553, 2 January 2008. This view was shared by PIAC: Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[37] Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[38] Australian Bankers’ Association Inc, Submission PR 567, 11 February 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Australian Government Department of Human Services, Submission PR 541, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Law Society of New South Wales, Submission PR 443, 10 December 2007; P Youngman, Submission PR 394, 7 December 2007.

[39] Medicare Australia, Submission PR 534, 21 December 2007.

[40] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 56–1.

[41] Under the Terms of Reference of the BFSO, a determination issued by the BFSO is binding on the complainant and respondent if the complainant agrees to accept it in full and final settlement of the subject matter of the dispute: Banking and Financial Services Ombudsman, Terms of Reference, 1 December 2004, [7.12]. A similar approach is taken by the TIO: Telecommunications Industry Ombudsman Constitution, 20 May 2006, [6.1].

[42] See Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[43] For example, in the context of credit reporting complaints, the OPC can be expected to recognise EDR schemes already approved by ASIC under the Corporations Act 2001 (Cth) and those with another statutory basis, such as the TIO. The OPC could also recognise schemes that are certified by an independent third party as complying with the ASIC standard and other similar instruments: see Ch 59.

[44] Australian Securities and Investments Commission, Approval of External Complaints Resolution Schemes: ASIC Policy Statement 139, 8 July 1999, [PS 139.59].

[45] See Rec 49–8.